Tick off each of these items below, to perform an informal HIPAA preparedness assessment of your organization.

  • Able to identify the security official who is responsible for the development and implementation of HIPAA
  • Have conducted a comprehensive risk assessment of potential security risks and vulnerabilities and ensure any items identified in the risk assessment have been completed or are on a reasonable timeline to be completed.
  • Able to provide a detailed risk management strategy
  • Can provide details of the procedure when responding to suspected or known security incidents
  • All necessary privacy and security documentation is readily available and up to date
  • Able to demonstrate that security controls are working, be able to examine activity in information systems that contain or use PHI, and show that your organization has implemented procedures to regularly review records of audit logs, access reports, and security incident tracking
  • Can confirm that a facility security plan for each physical location that stores or otherwise has access to PHI has been adopted, in addition to any security policies that require a physical security plan
  • Conduct a full review of HIPAA security policies to identify any actions that have not been completed as required (e.g. physical security plans, disaster recovery plan, emergency access procedures, etc.) to meet HIPAA compliance
  • Can ensure a breach notification policy has been implemented, and accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards
  • In addition to a website privacy notice, a compliant Notice of Privacy Practices is available
  • Can confirm that all systems and software that transmit electronic PHI use encryption technology, or provide a documented risk analysis supporting the decision not to employ encryption
  • Are able to show that your organization has reasonable and appropriate safeguards in place for all forms of PHI – both in transit and at rest
  • Able to demonstrate that sufficient procedures have been implemented for the authorization and/or supervision of employees who work with PHI or in locations where it might be accessed, including methods of authentication
  • Can show that a process is in place for terminating access to PHI after a period of inactivity
  • Able to demonstrate that sufficient procedures have been implemented to determine that the access level of an employee to PHI is appropriate
  • Can prove that sufficient procedures are in place to terminate access to PHI when an employee leaves an organization
  • Can prove that your organization has implemented policies and procedures to protect PHI from improper alteration or destruction
  • Have the capability to remote wipe and disable a device that holds PHI
  • Able to show that your organization maintains an accurate inventory of information system assets, including mobile devices (also applicable to a BYOD environment)
  • Have performed checks for malicious software
  • Have a robust process in place for password creation and password changes
  • Have a complete inventory of all covered entities and business associates available
  • Can ensure that appropriate business associate agreements have been executed
  • Are able to provide evidence that the workforce has received HIPAA training
  • Have conducted a ‘self-audit’ to check how well policies and procedures are being carried out throughout the organization
Source: Scrypt